Texas recently ended its lawsuit against the U.S. Department of Health and Human Services (HHS) on November 20, 2025. The decision follows both sides filing a Joint Stipulation of Dismissal without Prejudice in the Northern District of Texas, Lubbock Division, before Judge James Wesley Hendrix.
What happened
The filing tells the judge that Texas is choosing to drop the case voluntarily and that HHS agrees to the dismissal. Because the dismissal is without prejudice, Texas preserves the option to bring the same claims again in the future. Both sides agreed to cover their own legal fees and costs, and they asked the court to close the matter. The dismissal marks a clean procedural exit from the litigation with no ruling on the merits and no obligations imposed on either party.
The backstory
Texas sued the HHS on September 4, 2024, in a challenge to the two privacy-related rules under HIPAA. These were the 2000 Privacy Rule and the newly issued 2024 Privacy Rule. The 2024 rule strengthened protections for reproductive healthcare and broadly included definitions for abortion, gender affirming care, contraception, and other reproductive-related medical care.
The basis for Texas’s argument was that they believed those rules illegally limited the state’s ability to access protected health information (PHI) for state investigations. The state maintained that the HHS lacked the authority to impose sweeping restrictions on disclosure.
What was said
According to the Memorandum of Law of Proposed Intervenor-Defendants in Opposition to Plaintiff’s Cross-Motion For Summary Judgment, “The confidentiality of patient health information is a cornerstone of effective health care. For 25 years, patient privacy protections have been governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (Pub. L. 104–191, 110 Stat. 1936). HIPAA and its implementing regulations (the “Privacy Rules”) ensure that identifiable patient information is used and disclosed appropriately. Patients and clinicians alike rely on the protections afforded by the statute to use and disclose patient information efficiently, effectively, and in a confidential manner. At the beginning of this lawsuit, Plaintiff challenged both the Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164) (the “2000 Privacy Rule” or the “2000 Rule”) and the HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 89 Fed. Reg. 32976 (Apr. 26, 2024) (codified at 45 C.F.R. pts. 160, 164) (the “2024 Rule” or the “Rule”). Both challenges fail.”
Why it matters
The dispute is comparable to Purl v. HHS, where a Texas physician successfully challenged the same 2024 reproductive health amendment and won in June 2025. The ruling vacated most of the rule after the court found it unlawfully overrode state-mandated reporting duties. The ruling strengthened the state's argument that the HHS was encroaching on areas regulated by state entities.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
Who regulates data privacy in the United States, states or the federal government?
Both do. The federal government sets baseline privacy rules through laws like HIPAA, GLBA, COPPA, and the FTC Act, while states create their own privacy laws that can be stricter or broader than federal requirements.
When does federal law override state data-privacy law?
Federal law preempts state law when the two conflict or when Congress clearly intended the federal rule to be the controlling authority. HIPAA uses a floor-not-ceiling model, so stricter state health-privacy laws can still apply unless they contradict federal requirements.
Can states enforce their own privacy laws even if federal laws exist?
Yes. States routinely pass and enforce their own privacy statutes, such as the Texas Data Privacy and Security Act (TDPSA), the California Consumer Privacy Act (CCPA), and biometric-privacy laws.
Kirsten Peremore
